
Adaptive Behavioral Authentication In The Enterprise

Adaptive authentication combines multiple authentication methods to strike the best balance between convenience, security, and cost. It is contextual in nature and relies on a more implicit form of authentication derived from the user's session, as opposed to explicit primary authenticators such as PINs, passwords, OTPs, fingerprints and the like.

Financial institutions have been part of the early evolution of adaptive authentication from credit card fraud detection systems to the current systems tackling online banking fraud. Enterprises are now warming up to the adoption of adaptive authentication access especially with technologies such as mobile push notifications and on-device biometrics such as fingerprint. Key to this move will be combining adaptive techniques with continuous authentication to maintain identity assurance levels while the user is logged into sessions - from login to logout - getting into the realm of adaptive behavioral authentication.

The Adaptive Authentication Engine

The brain of current adaptive authentication systems is the Auth Engine, which evaluates contextual information along with a set of parameters, including a unique device ID, geolocation data and whether the device is rooted, among others, and makes a decision: allow, deny, or require additional step-up authentication.

In the case of successful authentication, the user access is transparent and happens behind the scenes without interrupting the user. Additional step up authentication usually involves out-of-band mechanisms such as SMS OTP, push notifications, and/or on-device biometrics.
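The decision flow described above, as an added illustration that is not Zighra's engine or code: a constructed enrollment record per user (trusted device IDs and the last seen location), a rule-based risk score over the device, rooted-state and geolocation signals, and an allow / step-up / deny outcome. The point thresholds and the 1000 km/h "impossible travel" cut-off are assumptions chosen for the example.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"

@dataclass
class LoginContext:
    user: str
    device_id: str
    lat: float
    lon: float
    timestamp: float   # seconds since epoch
    rooted: bool

# Constructed enrollment data: trusted device ids and the last observed login (lat, lon, time).
ENROLLED = {
    "alice": {"devices": {"dev-A1"}, "last": (51.50, -0.12, 1_700_000_000.0)},  # London
}

def km_between(lat1, lon1, lat2, lon2):
    """Haversine great-circle distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def risk_score(ctx: LoginContext):
    """Accumulate risk points per signal; the reasons are kept for audit logging."""
    profile = ENROLLED.get(ctx.user)
    if profile is None:
        return 100, ["unknown user"]
    pts, why = 0, []
    if ctx.device_id not in profile["devices"]:
        pts += 40; why.append("unrecognised device")
    if ctx.rooted:
        pts += 30; why.append("rooted device")
    lat, lon, t = profile["last"]
    hours = max((ctx.timestamp - t) / 3600, 1e-6)
    speed = km_between(lat, lon, ctx.lat, ctx.lon) / hours
    if speed > 1000:   # faster than a commercial flight: assumed cut-off
        pts += 50; why.append(f"impossible travel ({speed:.0f} km/h)")
    return pts, why

def decide(ctx: LoginContext):
    """Map the score onto the engine's three outcomes (thresholds are assumptions)."""
    pts, why = risk_score(ctx)
    if pts >= 80:
        return DENY, why
    if pts >= 30:
        return STEP_UP, why   # e.g. mobile push or an on-device biometric
    return ALLOW, why
```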

Enterprise Adaptive Access

With employees, partners, vendors, customers, and in-house consultants bringing their own devices into the enterprise, enterprises have had to deal with a very fragmented security environment, in some cases with no control over the end devices at all. All of this has led enterprises to rethink their authentication techniques and access levels based on risk and user category.

Traditional authentication mechanisms such as hardware tokens and smartcards provide a higher level of assurance of user identity at the initial entry point, but that assurance decays over the course of the session, and disappears entirely if the session is hijacked. This is in addition to the higher total cost of ownership and usability issues associated with these mechanisms.

Where Is Enterprise Adaptive Authentication Heading?

The current crop of adaptive authentication solutions is a step in the right direction, elevating identity assurance levels at the initial login, but it still doesn't solve the problem of identity assurance over the course of a user's session. This is where continuous authentication plays a critical role in maintaining assurance levels throughout the user session - from login to logout. Both task-based and secondary continuous authentication techniques will need to be employed to sustain continuous authentication without sacrificing usability.

Our experience shows that early adopter enterprises are replacing traditional authentication modes and evolving towards a more continuous behavioral authentication modality and incorporating mobile push as a second factor with on-device biometric solutions.

Adaptive Behavioral Authentication

Enterprises are also exploring adaptive behavioral biometrics technologies - a field of study that seeks to identify unique patterns in the way people perform various activities, such as the way a person swipes the mobile touch screen or even how they walk.

Behaviometrics is a form of dynamic biometric authentication that has shown promise in addressing the continuous, frictionless authentication problem: the device identifies the user without any explicit authentication action on the user's part, while still providing a strong form of authentication. Behavioral biometrics identify users by their behavior rather than by fixed physical characteristics (such as a fingerprint). The system learns patterns in user behavior to build a user identification model, and then authenticates the user based on whether their ongoing behavior conforms to that recorded model.
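A minimal version of the enrol-then-verify loop just described, added here as an illustration and not Zighra's model: constructed swipe feature vectors (duration, length, peak pressure) are turned into a per-feature mean and standard deviation at enrolment, each new swipe is scored by its mean absolute z-score against that profile, and a session trust score decays on non-conforming input and recovers on conforming input, so that the session can demand step-up when trust drops below a floor. The features, threshold and decay/recovery constants are assumptions for the example.

```python
import statistics as st

# Constructed enrolment samples: (duration_ms, length_px, peak_pressure) per swipe.
ENROL_SWIPES = [
    (180, 410, 0.62), (195, 402, 0.60), (172, 425, 0.65),
    (188, 398, 0.59), (201, 415, 0.63), (176, 408, 0.61),
]

def build_profile(samples):
    """Per-feature (mean, stdev) learned during enrolment; this is the user model."""
    return [(st.mean(col), st.stdev(col)) for col in zip(*samples)]

def deviation(profile, swipe):
    """Mean absolute z-score of a new swipe against the enrolled profile."""
    return sum(abs(x - m) / sd for x, (m, sd) in zip(swipe, profile)) / len(profile)

class SessionMonitor:
    """Continuous check: trust decays on anomalous swipes and recovers on conforming ones."""

    def __init__(self, profile, threshold=2.5, floor=0.5):
        self.profile = profile
        self.threshold = threshold   # z-score above which a swipe is 'non-conforming' (assumed)
        self.floor = floor           # trust below which step-up is demanded (assumed)
        self.trust = 1.0             # fresh session after an explicit login

    def observe(self, swipe):
        d = deviation(self.profile, swipe)
        if d > self.threshold:
            self.trust = max(0.0, self.trust - 0.3)   # penalise quickly
        else:
            self.trust = min(1.0, self.trust + 0.1)   # recover slowly
        return self.trust

    def needs_step_up(self):
        return self.trust < self.floor

if __name__ == "__main__":
    mon = SessionMonitor(build_profile(ENROL_SWIPES))
    for swipe in [(185, 410, 0.61), (320, 250, 0.95), (330, 240, 0.97)]:
        print(swipe, round(mon.observe(swipe), 2), "step-up" if mon.needs_step_up() else "ok")
```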

For several lower assurance use cases within financial institutions and enterprises, adaptive behavioral authentication is coming of age to replace passwords for transparent user access. For higher assurance use cases behavioral authentication is used as an additional security layer on top of existing explicit access mechanisms.

Mobile Push Authentication

Mobile push based multi-factor authentication, together with adaptive authentication, will dramatically alter the cost and friction challenges of traditional authentication technologies. PINs, passwords, and OTPs are inconvenient, annoying, and insecure; they are a constant drain on productivity and user experience, and they represent an ever-increasing risk and expense to the enterprise. Mobile push based authentication helps reduce dependence on them and improves both usability and security.

Local on-device biometrics

Local on-device biometrics (such as TouchID) leverage the smartphone's existing sensors to build an authentication model that trains on and authenticates the user without any personally identifiable information leaving the device. The FIDO Alliance Universal Authentication Framework (UAF) protocol is one specification that supports this experience: the user registers their device with the online service by selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the mic, etc. The UAF protocol allows the service to select which mechanisms are presented to the user. Once registered, the user simply repeats the local authentication action whenever they need to authenticate to the service, and no longer needs to enter their password when authenticating from that device.

The second factor FIDO experience is supported by the Universal Second Factor (U2F) protocol. This experience allows online services to augment the security of their existing password infrastructure by adding a strong second factor to user login.

The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.

Where Does That Leave Us

Adaptive behavioral authentication within the enterprise is still coming of age, as we see more deployments combining continuous authentication, mobile push, on-device biometrics and deep integration with enterprise SSO and other APIs.

Current authentication systems, including static biometrics, focus on the initial authentication and are therefore not well suited to maintaining assurance over the course of the session. That makes continuous authentication an important milestone that several vendors are now working to achieve.

Learn more about Zighra's adaptive behavioral authentication solutions for the enterprise: